How to automate Enable and Disable of Splunk Alerts Based on logs entry?

SplunkSN
Loves-to-Learn Everything

Hi All,

Is there any way to enable and disable Splunk alerts automatically based on the log source?

e.g. We have Site 1 and Site 2 in an active-passive setup.

Case 1: Site 1 is active and Site 2 is passive; all Site 1 alerts should get enabled automatically. We can search for the Site 1 host as the condition to enable alerts.

Case 2: Site 2 is active and Site 1 is passive; all Site 2 alerts should get enabled automatically. We can search for the Site 2 host as the condition to enable alerts.

gcusello
SplunkTrust

Hi @SplunkSN,

If you're speaking of alerts on different Splunk servers, the only solution is to have a Search Head Cluster, so that only one server runs the alerts.

If instead you're speaking of alerts on one server, and site1 and site2 are different hosts, you have to add this condition, as a filter, in your search.

In other words, if there's a condition (e.g. a status parameter, possibly in another search) that you can test to find the active host, you could run something like this:

<your_main_search> [ search <your_host_status_search> | dedup host | fields host ]
| ...

Ciao.

Giuseppe

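A concrete form of the subsearch filter above, as an added example that is not from the original answer. It assumes an index named app, a sourcetype app:logs, the host names HostSite1 and HostSite2 that appear later in the thread, and that the active site is the one whose host has forwarded events most recently (a heuristic, since the thread says no status field exists in the logs):

```spl
index=app sourcetype=app:logs level=ERROR
    [ search index=app sourcetype=app:logs earliest=-15m (host=HostSite1 OR host=HostSite2)
      | stats latest(_time) AS last_seen BY host
      | sort - last_seen
      | head 1
      | fields host ]
| stats count AS error_count BY host, error_code
| where error_count > 10
```

The subsearch resolves to a single host=... term, so one saved alert follows whichever site is active without being enabled or disabled; if the passive host still forwards heartbeat events, the recency heuristic will misfire and the subsearch should instead key on whatever source does reflect the failover state.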

SplunkSN
Loves-to-Learn Everything

Hi @gcusello , Thank you for the reply.

Both the hosts are on same Splunk server.

We don't have any parameter in the logs which identifies the currently active site, so we are using host naming (e.g., HostSite1, HostSite2). How would we automate enable/disable of alerts based on the host name?

gcusello
SplunkTrust

Hi @SplunkSN,

OK, but the logs you're using for the alert come from two different hosts, one active and one passive.

So, if I correctly understood, you want to use only host1 if host1 is the active one and host2 if this is the active one.

One question: can you have both logs from host1 and host2?

If yes, are they different?

If they are the same, you could dedup results using the duplicated fields that you have in your alert.

Or you could group results so the host value isn't relevant. Could you share your alert search?

Ciao.

Giuseppe

check if the host field in the results of your alarm is only the active host, in this case you can 
